Foundernotes
[ Back to Welcome Page ]

Legal

Privacy Policy

1. Privacy at a Glance

General Information

The following notes provide a simple overview of what happens to your personal data when you visit this website or use our web application. Personal data is any data with which you can be personally identified.

Data Collection on Our Website

The data processing on this website is carried out by the website operator. You can find their contact details in the Imprint section of this website.

Your data is collected on the one hand because you communicate it to us (e.g., by entering your email address during registration or by filling out your strategic journal chapters). Other data is collected automatically by our IT systems when you visit the website (e.g., IP address, browser type, or time of page access).

2. General Information and Mandatory Disclosures

Controller

The controller responsible for data processing on this website is:

Caroline Schmidt
Brabanter Straße 25
50672 Köln
E-Mail: caroline.schmidt.28@gmail.com

The controller is the natural or legal person who alone or jointly with others determines the purposes and means of the processing of personal data (e.g., names, email addresses, etc.).

Revocation of Your Consent to Data Processing

Many data processing operations are only possible with your express consent. You can revoke consent you have already given at any time. An informal email to us is sufficient for this purpose. The legality of the data processing carried out up to the revocation remains unaffected by the revocation.

Right to File a Complaint with the Competent Supervisory Authority

In the event of violations of the GDPR, data subjects have the right to file a complaint with a supervisory authority, in particular in the Member State of their habitual residence, their place of work, or the place of the alleged violation.

Right to Data Portability

You have the right to have data that we process automatically on the basis of your consent or in fulfillment of a contract handed over to you or to a third party in a common, machine-readable format.

Information, Erasure, and Rectification

Within the framework of the applicable legal provisions, you have the right at any time to free information about your stored personal data, its origin and recipient, and the purpose of the data processing, and, if necessary, a right to rectification or erasure of this data.

3. Data Processing in the Foundernotes App

Registration and User Account

When you register in the Foundernotes app, we collect your email address in order to create your user account, grant you access to your saved chapters, and authenticate you.

Legal Basis: Art. 6(1)(b) GDPR (Fulfillment of contract).

Storage of Your Journal Entries (Supabase & LocalStorage)

The data you enter in Chapters 1 to 6 (such as Founder DNA, Business Model Canvas, Financial Planning, and Feedback Signals) is stored in a secure cloud database (hosted by Supabase) or locally in the browser storage (LocalStorage) so that your progress is preserved.

Legal Basis: Art. 6(1)(b) GDPR (Fulfillment of the interactive notebook service).

Use of the AI Coach (Data Transfer to AI Interfaces)

To provide you with personalized strategic analyses by the “AI Coach,” the texts you enter in the respective chapters are transmitted to artificial intelligence interfaces (APIs of OpenAI or Anthropic).

Important for Your Safety: No sensitive profile data (such as your email address) is transmitted to these AI services. The data transmission is pseudonymized and exclusively for the purpose of text analysis. According to their privacy policies for enterprise APIs, these AI providers do not use this data to train their own models.

Legal Basis: Art. 6(1)(b) GDPR (Fulfillment of the interactive AI coach service).

4. Hosting and Third-Party Providers

Hosting via Lovable / Netlify / Vercel

Our app is operated by an external hosting service provider (e.g., Lovable, Netlify, or Vercel). The personal data collected on this website is stored on the servers of the host (e.g., IP addresses, meta and communication data, website access).

Legal Basis: Art. 6(1)(f) GDPR. Our host processes your data only to the extent necessary to fulfill its service obligations and operates on the basis of a Data Processing Agreement (DPA).

Payment Processing via Paddle (Merchant of Record)

Our order process is conducted by our online reseller Paddle.com Market Limited ("Paddle"). Paddle is the Merchant of Record for all our orders. This means Paddle handles all payment transactions, billing, applicable sales taxes, invoicing, refund processing and related customer service inquiries on our behalf, and will appear on your bank or card statement.

When you make a purchase, the data you provide at checkout (such as your name, email address, billing address, payment method details and IP address) is collected and processed by Paddle as an independent controller for the purposes of completing the transaction, tax compliance, fraud prevention and invoicing. We receive only the information needed to fulfil your order (such as your email, order ID and product purchased). For more information, see Paddle's privacy policy at paddle.com/legal/privacy.

Legal Basis: Art. 6(1)(b) GDPR (performance of the purchase contract) and Art. 6(1)(c) GDPR (compliance with tax and accounting obligations).

5. Data Retention

We only store your personal data for as long as it is necessary for the purposes for which it was collected, or as required by law:

  • Account data (email, authentication data): for the duration of your account. If you delete your account, this data is erased within 30 days, except where longer retention is required by law.
  • Journal entries and chapter content: stored as long as your account exists and deleted together with your account.
  • Transaction and invoice data (processed and stored by Paddle on our behalf): retained for up to 10 years to comply with German tax and commercial law (§ 147 AO, § 257 HGB).
  • Server log files (e.g., IP address, browser type): typically deleted or anonymised within 30 days unless required for security investigations.

6. Security Measures

We implement appropriate technical and organisational measures to protect your personal data against accidental or unlawful destruction, loss, alteration, unauthorised disclosure or access. These measures include:

  • encryption in transit using TLS/HTTPS for all connections;
  • encryption at rest of database content stored with our cloud provider;
  • access controls and authentication, with access to personal data limited to authorised personnel on a need-to-know basis;
  • row-level security policies in the database so that users can only access their own data;
  • contractual safeguards (Data Processing Agreements) with all subprocessors, including hosting, payment processing and AI providers.

Please note that no method of electronic transmission or storage is 100% secure, and we cannot guarantee absolute security.